Analysis

  • max time kernel
    142s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    16-10-2024 17:59

General

  • Target

    78cc9626bb8d6f9d8ddf8236c197894a86f9d54a294b38c9c0b82744496b3fae.exe

  • Size

    205KB

  • MD5

    887b35a87fb75e2d889694143e3c9014

  • SHA1

    c8be4500127bfce10ab38152a8a5003b75613603

  • SHA256

    78cc9626bb8d6f9d8ddf8236c197894a86f9d54a294b38c9c0b82744496b3fae

  • SHA512

    98cf0e201092e6d43a7ec5db4d80e6cc20ec9a983098b04597039b244535f78a4096b76bc62e591336b810fafa302e1009a64be6e788f24dcc8b3ac0c8eb930a

  • SSDEEP

    3072:b2HPbwlPLBkWW+DrxsYwvif/Sx+YzM5ul7SaD82gHxoLoPTI1IL7vtJf:bYT0PLB3QNJz6uhbDju6c3LJl

Malware Config

Signatures

  • Renames multiple (850) files with added filename extension
    This suggests ransomware activity of encrypting all the files on the system.
  • Reads user/profile data of web browsers (3 TTPs)
    Infostealers often target stored browser data, which can include saved credentials etc.
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Checks installed software on the system (1 TTP)
    Looks up Uninstall key entries in the registry to enumerate software on the system.
  • Suspicious use of SetThreadContext (1 IoC)
  • Drops file in Program Files directory (64 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  • Checks processor information in registry (2 TTPs, 2 IoCs)
    Processor information is often read in order to detect sandboxing environments.
  • Modifies system certificate store (2 TTPs, 4 IoCs)
  • Suspicious behavior: EnumeratesProcesses (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (11 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\78cc9626bb8d6f9d8ddf8236c197894a86f9d54a294b38c9c0b82744496b3fae.exe
    "C:\Users\Admin\AppData\Local\Temp\78cc9626bb8d6f9d8ddf8236c197894a86f9d54a294b38c9c0b82744496b3fae.exe"
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Modifies system certificate store
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2444
    • C:\Users\Admin\AppData\Local\Temp\78cc9626bb8d6f9d8ddf8236c197894a86f9d54a294b38c9c0b82744496b3fae.exe
      "C:\Users\Admin\AppData\Local\Temp\78cc9626bb8d6f9d8ddf8236c197894a86f9d54a294b38c9c0b82744496b3fae.exe"
      • Adds Run key to start application
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:2956

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\YOUR_FILES_ARE_DEAD.HTA
    Filesize
    64KB
    MD5
    9e6b8c54e0524be8dd90c966b6e95ac0
    SHA1
    e31b51250f757877d176b11bed4f5e1d1a927e92
    SHA256
    93ca5b210c0058a890009ddd9c897ac93bc6c2679332743625ef547ae8766305
    SHA512
    167daf78a8b31e8b66761b2b8f24f520bf628085a24a4d07fdde39080aa7943f302f1c5f5498843418230276485406ae5d9e40ab2614ccb80e3b7710f74e930d

  • C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif
    Filesize
    153B
    MD5
    4409c9e98062a5f757e3c8e3fee839bc
    SHA1
    6e20ffdfcb864270e763c9f4617049a821a6f401
    SHA256
    b8450b62b5134f0dae7eb5fce76c80148c2a8d0779cec2b3bd8bef90da05f61c
    SHA512
    b0d518004358c42a2d409f51746af16e43de4ccd619652330b9ee7a9e63104c32d82270e8435b34e8077ec0de1554c595b6c2f98106c01b509adb2457daa4f1d

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
    Filesize
    12KB
    MD5
    183e29c93888b0d2c4d6ddbf631b82b5
    SHA1
    573e5626fff28e569bf384ef3996af24a7a2f5c4
    SHA256
    a66c1a5eef6b01b78931da6d0f8d327acabe23bfcc6285b0477704c7a860ef78
    SHA512
    9b58d02e98c6be11667a2d8b098c80f246249b8a1bf8f80ca18c26283494bd6923b568f37159b72bc220da0a51fe0ff5475b3cccfb9a14d4a6bbafc7f68d1e86

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
    Filesize
    8KB
    MD5
    138d7f4c76025b1f7415fe5c60eabe7b
    SHA1
    f9623da64f753e4993761af23d9da4880258c7d3
    SHA256
    ae3e8b032799e6cae95820c19f27d5701b3ae308874ca1e008efe7ba3ced1220
    SHA512
    7ccdb148ac0dceab39a4884df0c0a334e33f5ac277e08e70939b22cb88f79e283d74c2765e59a16142742f5b71f7fe7b22c2baf6de0cd16ca8c5fb46e4e8afdd

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt
    Filesize
    11KB
    MD5
    44ea6f08a52b4a8a3fb8adf59f2623b9
    SHA1
    6267a7e0a48920c165116a89188b47ca988cec4a
    SHA256
    54987f29afbd7614df6b4f7f851644a8bf056b93ad741bc644dd025a7c2d868b
    SHA512
    1e632e5fb7f011174775875801452b7d5c52846a59581413ccbb196c55e5d259a90221ec0b5a50ec9b51dca0608a258487087b6f48c46dd45ba321bae3416140

  • C:\Users\Admin\AppData\Local\Temp\CabBBB3.tmp
    Filesize
    70KB
    MD5
    49aebf8cbd62d92ac215b2923fb1b9f5
    SHA1
    1723be06719828dda65ad804298d0431f6aff976
    SHA256
    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
    SHA512
    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\TarBC71.tmp
    Filesize
    181KB
    MD5
    4ea6026cf93ec6338144661bf1202cd1
    SHA1
    a1dec9044f750ad887935a01430bf49322fbdcb7
    SHA256
    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
    SHA512
    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • memory/2444-63-0x0000000073E00000-0x00000000743AB000-memory.dmp
    Filesize
    5.7MB
  • memory/2444-1-0x0000000073E00000-0x00000000743AB000-memory.dmp
    Filesize
    5.7MB
  • memory/2444-0-0x0000000073E01000-0x0000000073E02000-memory.dmp
    Filesize
    4KB
  • memory/2956-38-0x0000000000070000-0x0000000000090000-memory.dmp
    Filesize
    128KB
  • memory/2956-46-0x0000000000070000-0x0000000000090000-memory.dmp
    Filesize
    128KB
  • memory/2956-43-0x0000000000070000-0x0000000000090000-memory.dmp
    Filesize
    128KB
  • memory/2956-40-0x0000000000070000-0x0000000000090000-memory.dmp
    Filesize
    128KB
  • memory/2956-49-0x0000000000070000-0x0000000000090000-memory.dmp
    Filesize
    128KB
  • memory/2956-52-0x0000000000070000-0x0000000000090000-memory.dmp
    Filesize
    128KB
  • memory/2956-53-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize
    4KB
  • memory/2956-58-0x0000000000070000-0x0000000000090000-memory.dmp
    Filesize
    128KB
  • memory/2956-62-0x0000000000070000-0x0000000000090000-memory.dmp
    Filesize
    128KB
  • memory/2956-36-0x0000000000070000-0x0000000000090000-memory.dmp
    Filesize
    128KB